Mandiant Threat Intelligence provides automated access to indicators of compromise (IOCs), such as the IP addresses, domain names and URLs that threat actors are using, through its indicators; to full-length finished intelligence through its reports; to notifications of threats against your brand and monitored keywords through its alerts; and to intelligence on a given adversary through its search.
This connector has a dependency on the Threat Intel Management Solution Pack. Install the Solution Pack before enabling ingestion of Threat Feeds from this source.
This document provides information about the Mandiant Threat Intelligence Connector, which facilitates automated interactions with a Mandiant Threat Intelligence server using FortiSOAR™ playbooks. Add the Mandiant Threat Intelligence Connector as a step in FortiSOAR™ playbooks to perform automated operations with Mandiant Threat Intelligence.
Connector Version: 1.1.0
FortiSOAR™ Version Tested on: 7.4.1-3167
Authored By: Fortinet
Certified: Yes
The following enhancements have been made to the Mandiant Threat Intelligence Connector in version 1.1.0:
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command as a root user to install the connector:
yum install cyops-connector-mandiant-threat-intel
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the Mandiant Threat Intelligence connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
| Parameter | Description |
|---|---|
| Server URL | The service-based URI to connect and perform the automated operations. |
| Public Key | The unique Mandiant Threat Intelligence Public Key used to create an authentication token required to access the Mandiant Threat Intelligence API. |
| Private Key | The unique Mandiant Threat Intelligence Private Key used to create an authentication token required to access the Mandiant Threat Intelligence API. |
| Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set to True. Leave it enabled outside of testing: with verification off, the Public Key and Private Key are sent to whichever endpoint answers for the Server URL, not necessarily Mandiant. |
The following automated operations can be included in playbooks; from FortiSOAR™ release 4.10.0 onwards, you can also use the annotations to access these operations:
| Function | Description | Annotation and Category |
|---|---|---|
| Get Indicators | Retrieves all indicators or specific indicators from Mandiant Threat Intelligence based on the input parameters you have specified. | get_indicators Investigation |
| Get Reports | Retrieves all reports or specific reports for threat actors from Mandiant Threat Intelligence based on the input parameters you have specified. | get_reports Investigation |
| Get Alerts | Retrieves all alerts or specific alerts from Mandiant Threat Intelligence based on the input parameters you have specified. | get_alerts Investigation |
| Search Collections | Retrieves all collections or specific collections from Mandiant Threat Intelligence based on the input parameters you have specified. | search_collections Investigation |
| Fetch Indicators | Retrieves all indicators or specific indicators from Mandiant Threat Intelligence based on the input parameters you have specified. | fetch_indicators Investigation |
Input parameters for the Get Indicators operation:
| Parameter | Description |
|---|---|
| Created At | Specify the DateTime from which you want to retrieve indicators, based on when they were created in Mandiant Threat Intelligence. |
| Size | Specify the number of results, per page, that you want to include in the response of this operation. The maximum number of results per page is 50 items. |
| STIX UUID | Specify the STIX ID of the indicator object that you want to retrieve from Mandiant Threat Intelligence. |
| Status | Select the status of the indicator based on which you want to filter the indicators retrieved from Mandiant Threat Intelligence. You can choose between Active and Revoked. |
The output contains the following populated JSON schema:
{
"id": "",
"type": "",
"objects": [
{
"id": "",
"name": "",
"type": "",
"labels": [],
"created": "",
"revoked": "",
"modified": "",
"is_family": "",
"description": "",
"spec_version": "",
"malware_types": [],
"object_marking_refs": []
},
{
"id": "",
"type": "",
"created": "",
"revoked": "",
"modified": "",
"source_ref": "",
"target_ref": "",
"spec_version": "",
"relationship_type": ""
},
{
"id": "",
"type": "",
"created": "",
"revoked": "",
"modified": "",
"source_ref": "",
"target_ref": "",
"spec_version": "",
"relationship_type": ""
},
{
"id": "",
"type": "",
"labels": [],
"created": "",
"pattern": "",
"revoked": "",
"modified": "",
"confidence": "",
"valid_from": "",
"valid_until": "",
"pattern_type": "",
"spec_version": "",
"indicator_types": [],
"object_marking_refs": [],
"x_fireeye_com_metadata": {
"subscriptions": []
}
},
{
"id": "",
"name": "",
"type": "",
"labels": [],
"created": "",
"revoked": "",
"modified": "",
"spec_version": "",
"infrastructure_types": []
},
{
"id": "",
"type": "",
"created": "",
"definition": {
"tlp": ""
},
"definition_type": ""
},
{
"id": "",
"type": "",
"created": "",
"definition": {
"statement": ""
},
"spec_version": "",
"created_by_ref": "",
"definition_type": ""
},
{
"id": "",
"name": "",
"type": "",
"created": "",
"modified": "",
"spec_version": "",
"identity_class": "",
"object_marking_refs": []
}
],
"spec_version": ""
}
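The schema above is a STIX 2.1 bundle: each indicator sits beside the malware and infrastructure objects it describes, the relationship objects that connect them, and the marking-definition objects that carry the TLP. A playbook that treats the bundle as a flat list of indicators loses that context. The following Python is an added example, not code from the connector or from Mandiant, showing how a playbook step could resolve those references, read the TLP, and decide whether an indicator is still active. The bundle it works on is constructed sample data with made-up ids.

```python
import json

# Constructed sample bundle in the shape documented above (ids are made up).
SAMPLE_BUNDLE = json.dumps({
    "id": "bundle--sample", "type": "bundle", "spec_version": "2.1",
    "objects": [
        {"id": "marking-definition--tlp-amber", "type": "marking-definition",
         "definition_type": "tlp", "definition": {"tlp": "amber"}},
        {"id": "marking-definition--statement", "type": "marking-definition",
         "definition_type": "statement",
         "definition": {"statement": "Sample copyright statement"}},
        {"id": "malware--fam1", "type": "malware", "name": "SAMPLEFAMILY",
         "is_family": True, "malware_types": ["backdoor"], "revoked": False},
        {"id": "indicator--i1", "type": "indicator",
         "pattern": "[domain-name:value = 'c2.example.test']",
         "pattern_type": "stix", "confidence": 85, "revoked": False,
         "valid_from": "2024-01-01T00:00:00Z",
         "valid_until": "2025-01-01T00:00:00Z",
         "object_marking_refs": ["marking-definition--tlp-amber",
                                 "marking-definition--statement"]},
        {"id": "indicator--i2", "type": "indicator",
         "pattern": "[ipv4-addr:value = '203.0.113.7']",
         "pattern_type": "stix", "confidence": 40, "revoked": True,
         "valid_from": "2023-06-01T00:00:00Z", "object_marking_refs": []},
        {"id": "relationship--r1", "type": "relationship",
         "relationship_type": "indicates",
         "source_ref": "indicator--i1", "target_ref": "malware--fam1"},
    ],
})


def index_bundle(bundle):
    """Map every object id to its object and group relationships by source."""
    by_id, rels = {}, {}
    for obj in bundle.get("objects", []):
        by_id[obj["id"]] = obj
        if obj.get("type") == "relationship":
            rels.setdefault(obj["source_ref"], []).append(obj)
    return by_id, rels


def resolve_tlp(obj, by_id):
    """Return the TLP colour named by the object's marking refs, or None.

    Statement markings are skipped. A ref whose object is missing from the
    bundle is skipped too rather than raised on: a bundle is not guaranteed
    to carry every referenced object. None means 'no TLP stated', which a
    caller should not silently treat as freely shareable."""
    for ref in obj.get("object_marking_refs", []):
        marking = by_id.get(ref)
        if marking and marking.get("definition_type") == "tlp":
            return marking["definition"]["tlp"]
    return None


def enrich_indicators(bundle_json, as_of="2024-06-01T00:00:00Z"):
    """Return one record per indicator with TLP, linked objects and an
    'active' flag. `as_of` is compared as a string, which is valid because
    STIX timestamps are all UTC in the same YYYY-MM-DDTHH:MM:SSZ layout."""
    bundle = json.loads(bundle_json)
    by_id, rels = index_bundle(bundle)
    records = []
    for obj in bundle["objects"]:
        if obj.get("type") != "indicator":
            continue
        related = []
        for rel in rels.get(obj["id"], []):
            target = by_id.get(rel.get("target_ref"))
            if rel.get("relationship_type") == "indicates" and target:
                related.append((target["type"], target.get("name", "")))
        revoked = bool(obj.get("revoked", False))
        valid_until = obj.get("valid_until")
        records.append({
            "id": obj["id"],
            "pattern": obj.get("pattern", ""),
            "confidence": obj.get("confidence"),
            "tlp": resolve_tlp(obj, by_id),
            "revoked": revoked,
            "active": not revoked and (valid_until is None or as_of < valid_until),
            "indicates": sorted(related),
        })
    return records


if __name__ == "__main__":
    for rec in enrich_indicators(SAMPLE_BUNDLE):
        print(rec)
```

The `active` flag combines `revoked` with `valid_until`; a feed entry built from a revoked or expired indicator should be expired in FortiSOAR rather than re-created as a live IOC.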
Input parameters for the Get Reports operation:
| Parameter | Description |
|---|---|
| Created At | Specify the DateTime from which you want to retrieve reports, based on when they were created in Mandiant Threat Intelligence. |
| Size | Specify the number of results, per page, that you want to include in the response of this operation. The maximum number of results per page is 50 items. |
| Report ID | Specify the STIX ID of the report object that you want to retrieve from Mandiant Threat Intelligence. |
| Document ID | Specify the document ID of the report whose details you want to retrieve from Mandiant Threat Intelligence. |
| Status | Select the status of the report based on which you want to filter the reports retrieved from Mandiant Threat Intelligence. You can choose from the following options: |
| Subscription | Select the subscription of the report based on which you want to filter the reports retrieved from Mandiant Threat Intelligence. You can choose from the following options: |
| Report Type | Specify the type of report based on which you want to filter the reports retrieved from Mandiant Threat Intelligence. |
| Actor Name | Specify the name of the actor based on which you want to filter the reports retrieved from Mandiant Threat Intelligence. This parameter narrows the results to a specific actor and returns all matching reports for that actor. |
| Malware Name | Specify the name of the malware based on which you want to filter the reports retrieved from Mandiant Threat Intelligence. This parameter narrows the results to a specific malware family and returns all matching reports for that family. |
The output contains the following populated JSON schema:
{
"id": "",
"type": "",
"objects": [
{
"type": "",
"spec_version": "",
"id": "",
"created_by_ref": "",
"created": "",
"modified": "",
"name": "",
"description": "",
"report_types": [],
"published": "",
"object_marking_refs": [],
"x_fireeye_com_additional_description_sections": {
"analysis": [],
"key_points": []
},
"object_refs": [],
"x_fireeye_com_tracking_info": {
"document_version": "",
"current_release_date": "",
"document_id": ""
},
"x_fireeye_com_metadata": {
"product_type": [],
"subscriptions": []
}
}
]
}
Input parameters for the Get Alerts operation:
| Parameter | Description |
|---|---|
| Created At | Specify the DateTime from which you want to retrieve alerts, based on when they were created in Mandiant Threat Intelligence. |
| Size | Specify the number of results, per page, that you want to include in the response of this operation. The maximum number of results per page is 50 items. |
| ID | Specify the STIX ID of the alert object that you want to retrieve from Mandiant Threat Intelligence. |
| Alert Type | Select the type of alerts based on which you want to filter the alerts retrieved from Mandiant Threat Intelligence. You can choose from the following options: |
| Alert Status | Select the status of alerts based on which you want to filter the alerts retrieved from Mandiant Threat Intelligence. You can choose from the following options: |
| Alert Categories | Select the category of alerts based on which you want to filter the alerts retrieved from Mandiant Threat Intelligence. You can choose from the following options: |
| Alert Severity | Select the severity of alerts based on which you want to filter the alerts retrieved from Mandiant Threat Intelligence. You can choose from the following options: |
The output contains the following populated JSON schema:
{
"spec_version": "",
"objects": [
{
"id": "",
"type": "",
"alert_type": "",
"name": "",
"status": "",
"alert_context": [],
"prerequisite_conditions": [],
"object_refs": [],
"action_nature": "",
"description": "",
"created": "",
"modified": "",
"alert_severity": {
"severity_score": ""
},
"spec_version": ""
},
{
"id": "",
"type": "",
"created": "",
"created_by_ref": "",
"definition_type": "",
"definition": {
"statement": ""
},
"spec_version": ""
},
{
"id": "",
"name": "",
"type": "",
"identity_class": "",
"created": "",
"modified": "",
"object_marking_refs": [],
"spec_version": ""
}
],
"id": "",
"type": ""
}
Input parameters for the Search Collections operation:
| Parameter | Description |
|---|---|
| Queries | Specify the queries with which you want to retrieve the list of query objects from Mandiant Threat Intelligence. Each query object includes its type and properties. |
| Include Connected Objects | Select this option to include objects connected to the matching objects, through a reference or relationship, in the search response. |
| Connected Objects | Specify the list of connections with which you want to retrieve connected objects from Mandiant Threat Intelligence. Connections contain fields such as connection_type, connected_type, object_type, property, or relationship_type. |
| Sort By | Specify the property of the object by which you want to sort the results retrieved from Mandiant Threat Intelligence. NOTE: Sort By is applicable only when the |
| Order By | Specify the sort direction of the results retrieved from Mandiant Threat Intelligence. You can set the sort order to "asc" (ascending) or "desc" (descending). If the sort order is not specified, it defaults to ascending. NOTE: Sort Order is applicable only when the |
The output contains a non-dictionary value.
Input parameters for the Fetch Indicators operation:
| Parameter | Description |
|---|---|
| Created At | Specify the DateTime from which you want to retrieve indicators, based on when they were created in Mandiant Threat Intelligence. |
| Size | Specify the number of results, per page, that you want to include in the response of this operation. The maximum number of results per page is 50 items. |
| STIX UUID | Specify the STIX ID of the indicator object that you want to retrieve from Mandiant Threat Intelligence. |
| Status | Select the status of the indicator based on which you want to filter the indicators retrieved from Mandiant Threat Intelligence. You can choose between Active and Revoked. |
The output contains the following populated JSON schema:
{
"id": "",
"type": "",
"objects": [
{
"id": "",
"type": "",
"labels": [],
"created": "",
"pattern": "",
"revoked": "",
"modified": "",
"confidence": "",
"valid_from": "",
"pattern_type": "",
"spec_version": "",
"indicator_types": [],
"object_marking_refs": [],
"x_fireeye_com_metadata": {
"subscriptions": []
}
}
],
"spec_version": ""
}
The Sample - mandiant-threat-intel - 1.1.0 playbook collection comes bundled with the Mandiant Threat Intelligence connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Mandiant Threat Intelligence connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.
Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling indicators from Mandiant Threat Intelligence. Currently, the indicators ingested from Mandiant Threat Intelligence are mapped to Threat Feeds in FortiSOAR™'s Threat Intel Management. For more information on the Data Ingestion Wizard, see the Connectors Guide in the FortiSOAR™ product documentation.
You can configure data ingestion using the Data Ingestion Wizard to seamlessly map the incoming Mandiant Threat Intelligence Feeds to FortiSOAR™ Threat Feeds.
The Data Ingestion Wizard enables you to configure the scheduled pulling of data from Mandiant Threat Intelligence into FortiSOAR™. It also lets you pull some sample data from Mandiant Threat Intelligence using which you can define the mapping of data between Mandiant Threat Intelligence and FortiSOAR™. The mapping of common fields is generally already done by the Data Ingestion Wizard; users are mostly required to only map any custom fields that are added to the Mandiant Threat Intelligence indicator.
Note: For the ingestion playbooks to work, you must install and configure the following solution packs:
For more information on solution packs see the respective solution pack document on the Content Hub Portal.
To begin configuring data ingestion, click Configure Data Ingestion on the Mandiant Threat Intelligence connector's Configurations page.
Click Let's Start by fetching some data, to open the Fetch Sample Data screen.

Sample data is required to create a field mapping between Mandiant Threat Intelligence data and FortiSOAR™. The sample data is pulled from connector actions or ingestion playbooks.
On the Fetch Data screen, provide the configurations required to fetch indicators from Mandiant Threat Intelligence.
You can pull indicators from Mandiant Threat Intelligence by selecting the reputation of the indicators you want to retrieve (choose from Good, Suspicious, Malicious, No Reputation Available, or TBD). You can also specify filters such as the confidence level, TLP set, and the age of the indicator.

The fetched data is used to create a mapping between the Mandiant Threat Intelligence data and FortiSOAR™'s Threat Feed. Once you have completed specifying the configurations, click Fetch Data.
On the Field Mapping screen, map the fields of the ingested Mandiant Threat Intelligence data to the fields of an indicator present in FortiSOAR™.
To map a field, click the key in the sample data to add the Jinja value of the field. For example, to map the pattern parameter of an ingested indicator from Mandiant Threat Intelligence to the value parameter of a FortiSOAR™ threat feed, click the Value field and then click the pattern field to populate its keys:

For more information on field mapping, see the Data Ingestion chapter in the Connectors Guide in the FortiSOAR™ product documentation. Once you have completed the mapping of fields, click Save Mapping & Continue.
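Mapping the indicator's pattern field straight onto the threat feed's value field stores a STIX expression such as [ipv4-addr:value = '203.0.113.7'] rather than the bare observable, and a file indicator usually carries several hashes OR'd together in one pattern. The following Python is an added example (not the connector's own mapping or playbook code) of a step that flattens a pattern into one feed record per observable before the record is written. The STIX_TO_FEED_TYPE table and the record field names (value, type, confidence, validUntil, expired, sourceId) are assumptions to adjust to your Threat Intel Management module; the indicators at the bottom are constructed samples.

```python
import re

# One comparison inside a STIX pattern: <object-type>:<property> = '<value>'.
# The property may itself be quoted, as in file:hashes.'SHA-256'; the value
# may contain escaped quotes (\') and backslashes (\\).
_COMPARISON = re.compile(
    r"([a-z0-9-]+):([A-Za-z0-9_.'\[\]-]+)\s*=\s*'((?:[^'\\]|\\.)*)'"
)

# Assumed mapping from STIX observable (type, property) to the indicator type
# names used in your FortiSOAR threat feed; adjust to your picklist.
STIX_TO_FEED_TYPE = {
    ("ipv4-addr", "value"): "IP Address",
    ("ipv6-addr", "value"): "IP Address",
    ("domain-name", "value"): "Domain",
    ("url", "value"): "URL",
    ("email-addr", "value"): "Email Address",
    ("file", "hashes.MD5"): "FileHash-MD5",
    ("file", "hashes.'SHA-1'"): "FileHash-SHA1",
    ("file", "hashes.'SHA-256'"): "FileHash-SHA256",
}


def pattern_to_feed_entries(pattern):
    """Return a (feed_type, value) pair for every supported comparison in
    the pattern, in order. Unsupported observable types are dropped rather
    than guessed at, so they can be routed to manual review."""
    entries = []
    for obs_type, prop, raw in _COMPARISON.findall(pattern):
        value = raw.replace("\\'", "'").replace("\\\\", "\\")
        feed_type = STIX_TO_FEED_TYPE.get((obs_type, prop))
        if feed_type is not None:
            entries.append((feed_type, value))
    return entries


def indicator_to_feed_records(indicator):
    """Flatten one STIX indicator object into threat feed records. A revoked
    indicator is emitted with expired=True so the feed entry is retired."""
    records = []
    for feed_type, value in pattern_to_feed_entries(indicator.get("pattern", "")):
        records.append({
            "value": value,
            "type": feed_type,
            "confidence": indicator.get("confidence"),
            "validUntil": indicator.get("valid_until"),
            "expired": bool(indicator.get("revoked", False)),
            "sourceId": indicator.get("id"),
        })
    return records


# Constructed sample indicators (ids and values are made up).
SAMPLE_INDICATORS = [
    {"id": "indicator--h1", "confidence": 70, "revoked": False,
     "valid_until": "2025-01-01T00:00:00Z",
     "pattern": "[file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e' OR "
                "file:hashes.'SHA-256' = "
                "'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']"},
    {"id": "indicator--u1", "confidence": 55, "revoked": True,
     "pattern": "[url:value = 'http://example.test/it\\'s']"},
    {"id": "indicator--x1", "confidence": 10, "revoked": False,
     "pattern": "[x-custom-thing:foo = 'bar']"},
]


def flatten_all(indicators=SAMPLE_INDICATORS):
    """Feed records for every sample indicator, in input order."""
    return [rec for ind in indicators for rec in indicator_to_feed_records(ind)]


if __name__ == "__main__":
    for rec in flatten_all():
        print(rec)
```

Writing one record per hash, rather than one record holding the whole OR expression, is what lets a later lookup of a single SHA-256 hit the feed.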
(Optional) Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency to Mandiant Threat Intelligence, so that the content gets pulled from the Mandiant Threat Intelligence integration into FortiSOAR™.
On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.
In the Configure Schedule Settings section, specify the Cron expression for the schedule. For example, if you want to pull indicators from Mandiant Threat Intelligence every 5 minutes, click Every X Minute, and in the minute box enter */5. This means that the indicators will be pulled from Mandiant Threat Intelligence every 5 minutes:

Once you have completed scheduling, click Save Settings & Continue.
The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion and exit the Data Ingestion Wizard.
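A scheduled pull every few minutes only works as intended if each run picks up where the previous one stopped: it has to carry the newest Created At value forward, page through results in chunks of at most 50, and treat a Revoked indicator as a retirement rather than a fresh entry. The following Python is an added example, not the connector's own ingestion playbook, of that bookkeeping. fetch_page() is a stand-in for the Fetch Indicators action; its (created_after, size) interface, the in-memory sample feed, and the state shape are all assumptions, since the page does not document how the real action pages.

```python
from datetime import datetime, timedelta, timezone

PAGE_SIZE = 50  # the documented per-page maximum

# Constructed sample feed standing in for the Mandiant side: 120 indicators
# created one minute apart; every seventh one has since been revoked.
_BASE = datetime(2024, 3, 1, tzinfo=timezone.utc)
_FEED = [
    {
        "id": f"indicator--{n:04d}",
        "created": (_BASE + timedelta(minutes=n)).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "pattern": f"[ipv4-addr:value = '203.0.113.{n}']",
        "revoked": n % 7 == 0,
    }
    for n in range(1, 121)
]


def fetch_page(created_after, size=PAGE_SIZE):
    """Stand-in for the Fetch Indicators action: indicators created at or
    after `created_after`, oldest first, at most `size` of them. The
    comparison is '>=' on purpose: several indicators can share one
    timestamp, so the caller dedupes by id instead of skipping the mark."""
    items = sorted((i for i in _FEED if i["created"] >= created_after),
                   key=lambda i: i["created"])
    return items[:size]


def ingest(created_after, seen_at_mark=(), fetch=fetch_page, size=PAGE_SIZE):
    """One scheduled run. Returns (upsert_ids, expire_ids, new_mark, seen_at_mark).

    `created_after` and `seen_at_mark` are the state saved by the previous
    run: the newest 'created' value ingested and the ids sitting exactly on
    it. Revoked indicators go to expirations so a stale IOC is retired in
    the feed rather than re-added as active.
    Limitation: if more than `size` indicators share one timestamp, a
    created-at cursor cannot page past them; that needs the API's own
    next-page token."""
    upserts, expirations = [], []
    mark, seen = created_after, set(seen_at_mark)
    while True:
        page = fetch(mark, size)
        fresh = [i for i in page if i["id"] not in seen]
        if not fresh:
            break  # nothing new at or after the mark: caught up
        for item in fresh:
            (expirations if item["revoked"] else upserts).append(item["id"])
        mark = fresh[-1]["created"]
        # Only ids sitting exactly on the new mark can be returned again.
        seen = {i["id"] for i in page if i["created"] == mark}
        if len(page) < size:
            break  # short page: the server has nothing further
    return upserts, expirations, mark, seen


def run_twice():
    """Simulate two consecutive scheduled runs against an unchanged feed:
    the first ingests everything, the second must ingest nothing."""
    first = ingest("2024-03-01T00:00:00Z")
    second = ingest(first[2], first[3])
    return first, second


if __name__ == "__main__":
    first, second = run_twice()
    print(len(first[0]), "upserts,", len(first[1]), "expirations, mark", first[2])
    print(len(second[0]) + len(second[1]), "items on the second run")
```

Persist `new_mark` and `seen_at_mark` (for instance in a playbook variable or a FortiSOAR record) between runs; without the second one, the indicator sitting on the mark is re-ingested on every poll.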